As organizations come to grips with the fact that third-party risks are extremely dangerous to any business, regardless of its size or industry, firms are examining what they need to build up their third-party risk management programs.

In this article, Kelly White, founder of RiskRecon, a Mastercard Company, and Jake Bernardes, CISO of Whistic, discuss the must-haves when you are looking to build or strengthen a TPRM program.  

Kelly White: What's at stake here is getting the support and sponsorship within your organization to build up a third-party risk program. The first step is identifying your suppliers and the risk relationship that you have with them so that you can properly treat them. A lot of them are not going to require much treatment because there's not a lot of risk there, but knowing where that risk resides is important, and everything kind of follows from that. Now I'll put an asterisk on that: don't NOT do anything.

Certainly, manage the risk you know you have. You need to be embedded into the business and into procurement so that you can have that shared common record of, "Who are our suppliers and what's the risk relationship, and why?" Then you can be well positioned to treat the risk. I think a lot of companies are surprised: "Oh, I didn't know they had our data."

Jake Bernardes: I think vendor risk management is bidirectional. There are those that I'm assessing in my supply chain, and I'm part of other people's supply chains over here. I think your points cannot be understated. Very few businesses I've been in know and can list all their vendors. The other point that you make, which I think is so valid, is actually getting hold of that relationship. Actually having some control or input on every vendor intake is really important, because otherwise they just come in like the Wild West, and you are at a point where you can't actually say no to the business, and assessing a cybersecurity posture is irrelevant if you have no control of what you do with that vendor.

Conversely, when you are also part of the supply chain, you need to understand your own posture. I've been in the world of trying to use those spreadsheets, but it doesn't work. It's not scalable. It's not automatic. Having a tool that enables you to assess vendors and to present your posture to others, and then having companies like RiskRecon involved with third-party data sources, gives you another level of trust. Knowing your vendors, controlling how they get in, having a tool to assess them, knowing your cybersecurity posture, and having data to back up your posture are key steps.

I think one thing that's important as well is that, to try and change the way vendor risk management is approached, we need to shift mindsets. We need to get away from the culture of "And here's a 300-question questionnaire, deal with it." Or "This is what I require; meet them, or don't do business with us." We need to get away from that space, and that requires a like mind. When you look at Whistic's security first initiative, that's what we're trying to do. Where we can't do the same thing, we're trying to get together with other large players and enterprises and trying to have discussions about how we become thought leaders in moving VRM from where it is to where it should be and where it needs to be. I think that's also an important part not to forget: to take that kind of culture and to try and be proactive about it.

Download the report here to see the full results from our study and check back to get more of their thoughts on our blog!